public keys in signatures

The signatures contains the public key. This has consequences for implementation that may lead to subtle bugs - consider if implementations mix up the untrusted key in the signature with a trusted public key, or if there are subtle differences in the public keys but both are able to verify the signature. It isn't clear what requirements we want to place on different kind of formats.

I'm opening this bug so we don't forget about this aspect. The original reporter may come forward and describe this problem better than I'm able to, if per wishes.